from __future__ import annotations

import os
import secrets


def validate_token(provided_token: str) -> None:
    """
    Ensure the caller supplied the expected bearer token.

    Args:
        provided_token: Token received from the MCP client.

    Raises:
        RuntimeError: If the server token is not configured.
        PermissionError: If the token is missing or incorrect.
    """
    expected_token = os.getenv("MCP_SERVER_TOKEN")
    if not expected_token:
        raise RuntimeError("MCP_SERVER_TOKEN environment variable must be set for authentication.")
    if not provided_token:
        raise PermissionError("Missing MCP access token.")
    if not secrets.compare_digest(provided_token, expected_token):
        raise PermissionError("Invalid MCP access token.")